| Field | Value | Field | Value |
|---|---|---|---|
| Summary | net-libs/webkit-gtk-2.14.4: multiple vulnerabilities | | |
| Product | Gentoo Security | Reporter | Pacho Ramos <pacho> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | gnome |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://webkitgtk.org/security/WSA-2017-0001.html, https://webkitgtk.org/security/WSA-2017-0002.html | | |
| Whiteboard | A2 [glsa cve cleanup] | | |
| Package list | net-libs/webkit-gtk-2.14.5 | | |
| Runtime testing required | --- | | |
| Bug Depends on | | | |
| Bug Blocks | 608964 | | |
Description

Pacho Ramos, 2017-02-11 13:39:51 UTC

Removing www-client/epiphany-3.20.6 as that doesn't fix security bugs, 3.20.7 does. We should handle that in a separate security bug too though imho (after bumped). Adding webkit-gtk CVEs as aliases too.

From ${URL}:

WebKitGTK+ Security Advisory WSA-2017-0002

Date Reported: February 10, 2017

Advisory ID: WSA-2017-0002

CVE identifiers: CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.

Several vulnerabilities were discovered in WebKitGTK+.

- CVE-2017-2350. Versions affected: WebKitGTK+ before 2.14.4. Credit to Gareth Heyes of Portswigger Web Security. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling.
- CVE-2017-2354. Versions affected: WebKitGTK+ before 2.14.4. Credit to Neymar of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
- CVE-2017-2355. Versions affected: WebKitGTK+ before 2.14.4. Credit to Team Pangu and lokihardt at PwnFest 2016. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory initialization issue was addressed through improved memory handling.
- CVE-2017-2356. Versions affected: WebKitGTK+ before 2.14.4. Credit to Team Pangu and lokihardt at PwnFest 2016. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
- CVE-2017-2362. Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
- CVE-2017-2363. Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
- CVE-2017-2364. Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
- CVE-2017-2365. Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A validation issue existed in variable handling. This issue was addressed through improved validation.
- CVE-2017-2366. Versions affected: WebKitGTK+ before 2.14.4. Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com). Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
- CVE-2017-2369. Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
- CVE-2017-2371. Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: A malicious website can open popups. Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation.
- CVE-2017-2373. Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html

Please note that epiphany and webkit-gtk need to go together as, otherwise, this webkit-gtk will break current epiphany stable.

Also, I tried to bump 3.20.7 epiphany but I am waiting for https://bugzilla.gnome.org/show_bug.cgi?id=778495

Fixed epiphany that works with this in the tree.

amd64/x86 stable

Just like with other open webkit-gtk security bugs, we can't clean up SLOT=2 and SLOT=3 ebuilds due to consumers. We should be able to clean up 2.12.5 though.

Message from upstream: "The WebKitGTK+ 2.14.4 release broke WebKit for users with HiDPI displays. Please do not update to this version. We will release a corrected version shortly, probably tomorrow. Apologies for the inconvenience." We will need to wait for that 2.14.5 and stable it here under security as well, due to the serious usability regression the one stabled is apparently causing. Delaying 2.12.5 cleanup till then as well from my end at least, for HiDPI users to have a fallback until 2.14.5 is available.

commit bd9b427d1077d360e444052f03cef2803f307d9a
Author: Mart Raudsepp <leio@gentoo.org>
Date: Wed Feb 15 13:25:16 2017 +0200

net-libs/webkit-gtk: bump to 2.14.5 for serious HiDPI regression fixes

- Fix rendering of non-accelerated contents with HiDPI.
- Revert the fix for rendering issues in long documents with transparent background because it caused issues in HiDPI.

amd64/x86: Please stabilize the newer 2.14.5 that fixes serious regressions in HiDPI support that the 2.14.4 caused for stable users alongside the security fixes. With 2.14.4, HiDPI (e.g. GDK_SCALE=2 epiphany) is completely broken, usually not even rendering content visibly, potentially affecting non-Web things as well (yelp, evolution mail, etc.).

amd64 stable

x86 stable.

Maintainer(s), please clean up.

Cleanup of vulnerable webkit-gtk-2.12.5 done; webkit-gtk-2.4* can't be cleaned up yet due to consumers on those parallel-installable SLOTs, as for other open webkit-gtk security bugs.

We never received a security bug for https://webkitgtk.org/security/WSA-2017-0001.html either, so we were late in stabilizing 2.14.3 or such before for the previous batch of security issues and received some bad PR due to that. Adding the CVEs and link here too; might want to reconsider the severity, but I doubt it goes higher than current A2. GLSA will need to include the old stuff too then at least...

This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).
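The bug above turns on two version thresholds: the advisory's "Versions affected: WebKitGTK+ before 2.14.4", and Gentoo's decision to stabilize 2.14.5 instead because 2.14.4 carries the HiDPI regression, while a parallel-installable 2.4.x SLOT stays around for its consumers. The POSIX sh script below is an added example written for this page, not code from the Gentoo bug, the GLSA or the WebKitGTK+ project: it classifies installed webkit-gtk versions against those thresholds with a component-wise comparison, because a plain string or `sort` comparison ranks 2.4.x above 2.14.x. The function names, the `-rN` revision stripping and the sample version list (2.4.11 and 2.14.4-r1 are constructed; the others are named in the bug) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the WebKitGTK+ advisory).
# Classifies a webkit-gtk version against the thresholds in this bug:
#   < 2.14.4  : affected by WSA-2017-0002 ("before 2.14.4")
#   = 2.14.4  : CVEs fixed, but carries the HiDPI rendering regression upstream warned about
#   >= 2.14.5 : the version Gentoo stabilized here
# Versions are compared component by component; a string comparison would put the
# parallel-installable 2.4.x SLOT after 2.14.4 because "4" > "1".

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Dotted numeric versions only;
# a missing trailing component counts as 0, so 2.14 equals 2.14.0.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}              # head component of each side
        [ "$a" = "$ah" ] && a= || a=${a#*.}   # drop the head (empty once exhausted)
        [ "$b" = "$bh" ] && b= || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# webkit_status VERSION: prints vulnerable | hidpi-regression | ok.
# The Gentoo -rN revision suffix is dropped first (assumption: 2.14.4-r1 -> 2.14.4).
webkit_status() {
    v=${1%%-r*}
    if [ "$(vercmp "$v" 2.14.4)" -lt 0 ]; then
        printf '%s\n' vulnerable
    elif [ "$(vercmp "$v" 2.14.5)" -lt 0 ]; then
        printf '%s\n' hidpi-regression
    else
        printf '%s\n' ok
    fi
}

# Constructed sample of versions that could coexist in parallel SLOTs. On a Gentoo
# box the real list would come from the output of: qlist -Iv net-libs/webkit-gtk
for ver in 2.4.11 2.12.5 2.14.4 2.14.4-r1 2.14.5; do
    printf 'net-libs/webkit-gtk-%s: %s\n' "$ver" "$(webkit_status "$ver")"
done
```

The 2.4.x entry stays "vulnerable" by version, which matches the bug's point that the old SLOT could not be cleaned up for the consumers still linked against it; anything reported as hidpi-regression is the 2.14.4 build the bug asked arches not to keep as the stable target.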